Rackspace Community

Scanning for Rootkits with chkrootkit

Article ID: 430

Last updated on January 23, 2015

Authored by: Rackspace Support

Up-to-date and secure installations, firewalls, limited ssh access and strong passwords are all basic and essential aspects of security. However, continued active monitoring of server content for malware is also necessary.

One method of monitoring content is to scan for rootkits.

Contents

Note

Scanning for rootkits will not stop all attacks, it is not an active defense. If your server has been compromised then a scan will not stop the rootkit. Unfortunately, the presence of a rootkit is a clear indication that your server security has been compromised will need to be rebuilt.

It is worth finding out how the rootkit got into your server in the first place so it doesn't happen again but you will still need to reinstall.

This article is about the scanning mechanism rather than identifying how something may have entered your system. It is only about checking the validity of the server content.

chkrootkit

Scanning is easily done with a program called chkrootkit. This can also be automated so you don't have to log in and scan on a daily basis.

We're going to install chkrootkit from source. It is available from most repositories but installing from source ensures we have not installed a compromised scanning system (sadly, it's been known to happen!).

Let's begin. Log into your VPS and navigate to your sources directory (or create one if you don't have one you normally use). The sources directory can be placed anywhere. Placing it in root's home directory can make it easier to find and maintain, so we'll do that in our examples.

sudo mkdir /root/sources
cd /root/sources

Download

Download the latest chkrootkit version (this command will always fetch the latest version):

sudo wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

md5 check

To check that the file you have is the same file that chkrootkit.org intended you to have, check the md5 signature. To do this enter:

md5sum chkrootkit.tar.gz

This will create an output that is unique to the downloaded file - check this with the md5 signature which is available from a mirror website (see the note below):

http://www.reznor.com/tools/chkrootkit.md5

Note: You may notice that we have checked the md5sum from a different server. On something as important as this, we want to make sure we don't have a questionable download.

If the two don't match then you have a compromised download. You will notice as you download more and more source code that they all have md5 or other style of signatures for integrity checks.

Unpack

Unpack the download and move into the new directory:

sudo tar xvfz chkrootkit.tar.gz
cd chkrootkit-0.47

In this example, we downloaded and unpacked version 0.47 - remember the download command above will always download the latest version.

Make

Now you need to compile the program which will take less than 2 seconds:

sudo make sense

You can keep the folder in your sources directory or move the whole thing elsewhere more convenient for you. In this example, we will keep it in the sources directory.

Run

To run the chkrootkit, simply give the command as the sudo user:

sudo ./chkrootkit

The output on the demo server should give the all clear, but a warning may look something like this: